The threat cycle begins with an e-mail advertising a new extension that "...will help you to better organize your documents received in your e-mail." The e-mail includes a link that leads to a fake Google Chrome extensions page. This page links not to an extension (which would have a .crx file extension) but to a trojan horse program with a .exe file extension.

The trojan modifies the Windows HOSTS file to block access to Yahoo's and Google's pages. Requests for those pages are instead redirected to fake versions of the sites. BitDefender identifies the threat as Trojan.Agent.20577.
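
A defender can check for the HOSTS tampering described above by parsing the file and flagging any entry that maps the affected sites to an address. The following is an added example, not code from the original article or from BitDefender; the watched-domain list, function names and sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains to watch, taken from the sites the article names.
WATCHED = ("google.com", "yahoo.com")

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in HOSTS-file text."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # skip lines not starting with an IP
        for name in fields[1:]:                # one line may list several names
            yield no, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def audit_hosts(text):
    """Return (line_no, hostname, ip, kind) for every watched-domain entry."""
    findings = []
    for no, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        # Loopback or 0.0.0.0 blocks the site; any other address redirects it.
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append((no, name, str(ip), kind))
    return findings

# Constructed sample; 203.0.113.0/24 is a reserved documentation range.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # constructed entry
203.0.113.10    WWW.YAHOO.COM
0.0.0.0         mail.yahoo.com
10.0.0.5        intranet.example
203.0.113.10    notgoogle.com
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; a clean system normally has no entries for these domains, so any finding merits investigation.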

It's important to note that Chrome really plays no role in this threat.